IT Baseline Protection Manual T 2.38 Lack of, or inadequate implementation of database security mechanisms

Database software normally includes a number of security mechanisms that protect data against unauthorised access and similar intrusions. However, most of these mechanisms are not activated automatically and must be activated manually by the database administrator. If none of these mechanisms is used, neither the confidentiality nor the integrity of the data can be guaranteed. In such cases, it is usually not possible to identify and log security violations. The consequences can range from the manipulation and loss of data to the destruction of the database.

Example:

In the MS Access database, activation of the password is optional. As a result, it is quite possible to gain unauthorised access to the database and therefore to all kinds of data stored in it. In this case, no auditing of database access is possible.


© Copyright by Bundesamt für Sicherheit in der Informationstechnik